---
title: Customizing the Cloud Foundry Deployment Manifest Stub for vSphere, vCloud Air, or vCloud Director
owner: Release Integration
---

<strong><%= modified_date %></strong>

This topic describes how to customize the Cloud Foundry deployment manifest stub for vSphere, vCloud Air, or vCloud Director. 

To create a Cloud Foundry manifest, you must perform the following steps:

1. Use the BOSH CLI to [retrieve your BOSH Director UUID](#bosh-uuid), which you use to customize your manifest stub.
1. Create a manifest stub in YAML format. See the [example manifest stub](#stub) for vSphere, vCloud Air, or vCloud Director below, and follow the [editing instructions](#editing) to customize it for your deployment.
1. Use a script to combine the manifest stub with other configuration files in the `cf-release` repository to [generate your deployment manifest](#generate).

<p class="note"><strong>Note</strong>: vSphere defaults to using an internal WebDAV blobstore for the Cloud Controller. For alternative blobstore configurations, see <a href="/deploying/common/cc-blobstore-config.html">Cloud Controller Blobstore Configuration</a>.</p>

##<a id='bosh-uuid'></a> Step 1: Retrieve Your BOSH Director UUID

<%= partial '../common/bosh_uuid' %>

##<a id='stub'></a> Step 2: Create Your Manifest Stub

Review the [example manifest stub](#example-stub), and then follow the [editing instructions](#editing) to customize it for your deployment.

###<a id="example-stub"></a>Cloud Foundry Deployment Manifest Stub ##

<%= yield_for_code_snippet from: 'cloudfoundry/cf-release', at: 'cf-stub-vsphere' %>

###<a id="editing"></a>Editing Instructions ##

<table border="1" class="nice">
  <tr>
    <th style="width:35%">Deployment Manifest Stub Contents</th>
    <th>Editing Instructions</th>
  </tr>
  <tr>
    <td><pre><code>
meta:
  environment: ENVIRONMENT
    </code></pre></td>
    <td>Replace <code>ENVIRONMENT</code> with an arbitrary name describing your environment, for example <code>vsphere-prod</code>.
    </td>
  </tr>
  <tr>
    <td><pre><code>
director_uuid: DIRECTOR_UUID
    </code></pre></td>
    <td>Replace <code>DIRECTOR_UUID</code> with the BOSH Director UUID. Run the BOSH CLI command <code>bosh status --uuid</code> to view the BOSH Director UUID.
    </td>
  </tr>
  <tr>
    <td><pre><code>
networks:
  - name: cf1
    subnets:
    - range: 10.85.9.0/24
      gateway: 10.85.9.1
      reserved:
      - 10.85.9.2 - 10.85.9.100
      - 10.85.9.200 - 10.85.9.210
      dns:
      - 10.87.8.10
      - 10.87.8.11
      static:
      - 10.85.9.230 - 10.85.9.254
      cloud_properties:
        name: VSPHERE_NETWORK_NAME_1

  - name: cf2
    subnets:
    - range: 10.85.10.0/24
      gateway: 10.85.10.1
      reserved:
      - 10.85.10.2 - 10.85.10.100
      - 10.85.10.200 - 10.85.10.210
      dns:
      - 10.87.8.10
      - 10.87.8.11
      static:
      - 10.85.10.230 - 10.85.10.254
      cloud_properties:
        name: VSPHERE_NETWORK_NAME_2
    </code></pre></td>
    <td>This examples assumes a two-network deployment. Replace <code>VSPHERE_NETWORK_NAME_1</code> and
    <code>VSPHERE_NETWORK_NAME_2</code> with names of networks in your vSphere datacenter. Update the values for
    <code>range</code>, <code>reserved</code>, <code>static</code>, <code>dns</code>, and <code>gateway</code> accordingly.
    </td>
  </tr>
  <tr>
    <td><pre><code>
properties:
  system_domain: SYSTEM_DOMAIN
  system_domain_organization: SYSTEM_DOMAIN_ORGANIZATION
  app_domains:
   - APP_DOMAIN
    </code></pre></td>
    <td>Replace <code>SYSTEM_DOMAIN</code> and <code>APP_DOMAIN</code> with the full domain you want associated with applications pushed to your Cloud Foundry installation, for example <code>cloud-09.cf-app.com</code>. You must have already acquired these domains and configured their DNS records so that these domains resolve to your load balancer.
    <br/><br/>
    Choose a name for the <code>SYSTEM_DOMAIN_ORGANIZATION</code>. This organization will be created and configured to own the <code>SYSTEM_DOMAIN</code>.
    </td>
  </tr>
  <tr>
    <td><pre><code>
  cc:
    staging_upload_user: STAGING_UPLOAD_USER
    staging_upload_password: STAGING_UPLOAD_PASSWORD
    bulk_api_password: BULK_API_PASSWORD
    db_encryption_key: CCDB_ENCRYPTION_KEY
    mutual_tls:
      ca_cert: CC_MUTUAL_TLS_CA_CERT
      public_cert: CC_MUTUAL_TLS_PUBLIC_CERT
      private_key: CC_MUTUAL_TLS_PRIVATE_KEY
    </code></pre></td>
    <td>
      The Cloud Controller API endpoint requires basic authentication. Replace <code>STAGING_UPLOAD_USER</code> and <code>STAGING_UPLOAD_PASSWORD</code> with a username and password of your choosing.
      <br /><br />
      Replace <code>BULK_API_PASSWORD</code> with a password of your choosing. The password cannot contain characters that are not allowed for basic authentication unless you encode the characters. Health Manager uses this password to access the Cloud Controller bulk API.
      <br /><br />
      Replace <code>CCDB_ENCRYPTION_KEY</code> with a secure key that you generate to encrypt sensitive values in the Cloud Controller database.
      You can use any random string. For example, run the following command from a command line to generate a 32-character random string: <code>LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32 ; echo</code>
      <br /><br />

      To generate the certificates and keys for the <code>mutual_tls</code> section, you need the <a href="https://github.com/cloudfoundry/cf-release/blob/master/scripts/generate-cf-diego-certs">generate-cf-diego-certs script</a> from the <code>cf-release</code> repository.

      Run the <code>generate-cf-diego-certs</code> script to generate the certificates and keys for Cloud Controller.
      <br>
      For example, run the following in a terminal window:
      <pre class=terminal>$ ./scripts/generate-cf-diego-certs</pre>
      This script outputs a directory named <code>cf-diego-certs</code> that contains a set of files with the certificates and keys you need.

      <table>
        <tr>
          <th>In the stub, replace&hellip;</th>
          <th>with the contents of this file&hellip;</th>
        </tr>
        <tr>
          <td><code>CC_MUTUAL_TLS_CA_CERT</code></td>
          <td><code>cf-diego-ca.crt</code></td>
        </tr>
        <tr>
          <td><code>CC_MUTUAL_TLS_PUBLIC_CERT</code></td>
          <td><code>cloud-controller.crt</code></td>
        </tr>
        <tr>
          <td><code>CC_MUTUAL_TLS_PRIVATE_KEY</code></td>
          <td><code>cloud-controller.key</code></td>
        </tr>
      </table>
    </td>
  </tr>

  <tr>
    <td><pre><code>
  consul:
    encrypt_keys:
      - CONSUL_ENCRYPT_KEY
    ca_cert: CONSUL_CA_CERT
    server_cert: CONSUL_SERVER_CERT
    server_key: CONSUL_SERVER_KEY
    agent_cert: CONSUL_AGENT_CERT
    agent_key: CONSUL_AGENT_KEY
    </code></pre></td>
    <td>See the <a href="../common/consul-security.html">Security Configuration for Consul</a> topic.
    </td>
  </tr>
  <tr>
  <td><pre><code>
  etcd:
    require_ssl: true
    ca_cert: ETCD_CA_CERT
    client_cert: ETCD_CLIENT_CERT
    client_key: ETCD_CLIENT_KEY
    peer_ca_cert: ETCD_PEER_CA_CERT
    peer_cert: ETCD_PEER_CERT
    peer_key: ETCD_PEER_KEY
    server_cert: ETCD_SERVER_CERT
    server_key: ETCD_SERVER_KEY
    </code></pre></td>
    <td>
      Generate SSL certs for etcd and replace these values. 
      You can use the <code>scripts/generate-etcd-certs</code> script 
      in the <code>cf-release</code> repository to generate self signed certs.
    </td>
  </tr>
  <tr>
    <td><pre><code>
    loggregator:
      tls:
        ca_cert: LOGGREGATOR_CA_CERT
        doppler:
          cert: LOGGREGATOR_DOPPLER_CERT
          key: LOGGREGATOR_DOPPLER_KEY
        trafficcontroller:
          cert: LOGGREGATOR_TRAFFICCONTROLLER_CERT
          key: LOGGREGATOR_TRAFFICCONTROLLER_KEY
        metron:
          cert: LOGGREGATOR_METRON_CERT
          key: LOGGREGATOR_METRON_KEY
        syslogdrainbinder:
          cert: LOGGREGATOR_SYSLOGDRAINBINDER_CERT
          key: LOGGREGATOR_SYSLOGDRAINBINDER_KEY
      </code></pre></td>
    <td>To generate the certificates and keys for the Loggregator components, you need:
  <ul> 
    <li>The original CA certificate and key used to sign the keypairs for TLS
        between the Cloud Controller and the Diego BBS</li>
    <li>The <a href="https://github.com/cloudfoundry/cf-release/blob/master/scripts/generate-loggregator-certs">generate-loggregator-certs script</a> from the <code>cf-release</code> repository</li>
  </ul>
Run <code>generate-loggregator-certs CA_CERT CA_KEY</code> to generate the certificates and keys for Loggregator. Replace <code>CA_CERT</code> with the path and filename for the original CA certificate, and <code>CA_KEY</code> with the path and filename for the corresponding key.
    <br>
    For example, run the following in a terminal window:
    <pre class=terminal>$ ./scripts/generate-loggregator-certs cf-ca.cert cf-ca.key</pre>
    This script outputs a directory named <code>loggregator-certs</code> that contains a set of files with the certificates and keys you need for Loggregator.

    <table>
      <tr>
        <th>In the stub, replace&hellip;</th>
        <th>with the contents of this file&hellip;</th>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_CA_CERT</code></td>
        <td><code>loggregator-ca.crt</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_DOPPLER_CERT</code></td>
        <td><code>doppler.crt</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_DOPPLER_KEY</code></td>
        <td><code>doppler.key</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_TRAFFICCONTROLLER_CERT</code></td>
        <td><code>trafficcontroller.crt</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_TRAFFICCONTROLLER_KEY</code></td>
        <td><code>trafficontroller.key</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_METRON_CERT</code></td>
        <td><code>metron.crt</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_METRON_KEY</code></td>
        <td><code>metron.key</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_SYSLOGDRAINBINDER_CERT</code></td>
        <td><code>syslogdrainbinder.crt</code></td>
      </tr>
      <tr>
        <td><code>LOGGREGATOR_SYSLOGDRAINBINDER_KEY</code></td>
        <td><code>syslogdrainbinder.key</code></td>
      </tr>
    </table>      
    </td>
  </tr>
  <tr>
    <td><pre><code>
  loggregator_endpoint:
    shared_secret: LOGGREGATOR_ENDPOINT_SHARED_SECRET
    </code></pre></td>
    <td>Replace <code>LOGGREGATOR_ENDPOINT_SHARED_SECRET</code> with a secure string that you generate.
    </td>
  </tr>
  <tr>
    <td><pre><code>
    login:
      protocol: http
      saml:
        serviceProviderCertificate: SERVICE_PROVIDER_CERTIFICATE
        serviceProviderKey: SERVICE_PROVIDER_PRIVATE_KEY
    </code></pre></td>
    <td>Generate a PEM-encoded RSA key pair. You can generate a key pair by running the 
        command <code>openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout key.pem -out cert.pem</code>
        This command creates <code>cert.pem</code>, which contains your public key, and <code>key.pem</code>, 
        which contains your private key. Replace <code>SERVICE_PROVIDER_PRIVATE_KEY</code> with the full private key, 
        include the <code>BEGIN</code> and <code>END</code> delimiter lines, under <code>serviceProviderKey</code>.</br>
        For RSA keys, you only need to configure the private key.
    </td>
  </tr>
  <tr>
    <td><pre><code>
  nats:
    user: NATS_USER
    password: NATS_PASSWORD
    </code></pre></td>
    <td>Replace <code>NATS_USER</code> and <code>NATS_PASSWORD</code> with a username and secure password of your choosing. Cloud Foundry components use these credentials to communicate with each other over the NATS message bus.
      </td>
  </tr>
  <tr>
    <td><pre><code>
  router:
    status:
      user: ROUTER_USER
      password: ROUTER_PASSWORD
    </code></pre></td>
    <td>
      Replace <code>ROUTER_USER</code> and <code>ROUTER_PASSWORD</code> with a username and secure password of your choosing.
      </td>
  </tr>
  <tr>
    <td><pre><code>
  uaa:
    admin:
      client_secret: ADMIN_SECRET
    cc:
      client_secret: CC_CLIENT_SECRET
    clients:
      cc-service-dashboards:
        secret: CC_SERVICE_DASHBOARDS_SECRET
      cc_routing:
        secret: CC_ROUTING_SECRET
      cloud_controller_username_lookup:
        secret: CLOUD_CONTROLLER_USERNAME_LOOKUP_SECRET
      doppler:
        secret: DOPPLER_SECRET
      gorouter:
        secret: GOROUTER_SECRET
      tcp_emitter:
        secret: TCP-EMITTER-SECRET
      tcp_router:
        secret: TCP-ROUTER-SECRET
      login:
        secret: LOGIN_CLIENT_SECRET
      notifications:
        secret: NOTIFICATIONS_CLIENT_SECRET
    </code></pre></td>
    <td>Replace the values for all <code>secret</code> keys with secure secrets that you generate. <br><br>You can configure container-to-container networking in this section. If you want to deploy container-to-container networking, see the <i>Enable on an IaaS</i> section of the <a href="../../devguide/deploy-apps/cf-networking.html#iaas">Administering Container-to-Container Networking</a> topic, beginning with step 4.
    </td>
  </tr>
  <tr>
    <td><pre><code>
    jwt:
      verification_key: JWT_VERIFICATION_KEY
      signing_key: JWT_SIGNING_KEY
    </code></pre></td>
    <td>Generate a PEM-encoded RSA key pair, and replace <code>JWT_SIGNING_KEY</code> with the private key, and <code>JWT_VERIFICATION_KEY</code>
        with the corresponding public key. Generate a key pair by running the command <code>openssl genrsa -out jwt-key.pem 2048 && openssl rsa -pubout -in jwt-key.pem -out jwt-key.pem.pub</code>.
        This command creates <code>jwt-key.pem.pub</code>, which contains your public key, and <code>jwt-key.pem</code>, which contains your private key.<br/>
    Copy in the full keys, including the <code>BEGIN</code> and <code>END</code> delimiter lines.
    </td>
  </tr>
  <tr>
    <td><pre><code>
    scim:
      users:
        - admin|ADMIN_PASSWORD|scim.write,scim.read,o...
    </code></pre></td>
    <td>Generate a secure password and replace <code>ADMIN_PASSWORD</code> with that value to set the password for the Admin user of your Cloud Foundry installation.
    </td>
  </tr>
  <tr>
    <td><pre><code>
    sslCertificate: UAA_SERVER_CERT
    sslPrivateKey: UAA_SERVER_KEY
    </code></pre></td>
    <td>Replace <code>UAA_SERVER_CERT</code> and <code>UAA_SERVER_KEY</code> with UAA certificates. You can use the <code>scripts/generate-uaa-certs</code> script in the <code>cf-release</code> repository to generate self-signed certificates.</td>
    </td>
  </tr>
  <tr>
    <td><pre><code>
  ccdb:
    roles:
    - name: ccadmin
      password: CCDB_PASSWORD
  uaadb:
    roles:
    - name: uaaadmin
      password: UAADB_PASSWORD
  databases:
    roles:
    - name: ccadmin
      password: CCDB_PASSWORD
    - name: uaaadmin
      password: UAADB_PASSWORD
    </code></pre></td>
    <td>Replace <code>CCDB_PASSWORD</code> and <code>UAADB_PASSWORD</code> with secure passwords of your choosing.
  </td>
  </tr>
  <tr>
    <td><pre><code>
  hm9000:
    ca_cert: HM9000_CA_CERT
    server_cert: HM9000_SERVER_CERT
    server_key: HM9000_SERVER_KEY
    agent_cert: HM9000_AGENT_CERT
    agent_key: HM9000_AGENT_KEY
    </code></pre></td>
    <td>
      Generate SSL certificates for HM9000 and replace these values. You can use the <code>scripts/generate-hm9000-certs</code> script in the <code>cf-release</code> repository to generate self signed certificates.
    </td>
  </tr>
  <tr>
    <td><pre><code>
jobs:
- name: ha_proxy_z1
  properties:
    ha_proxy:
      ssl_pem: |
        -----BEGIN RSA PRIVATE KEY-----
        RSA_PRIVATE_KEY
        -----END RSA PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        CERTIFICATE
        -----END CERTIFICATE-----
    </code></pre></td>
    <td>Replace <code>RSA_PRIVATE_KEY</code> and <code>CERTIFICATE</code> with the private key and certificate for SSL termination of the DNS domains you pointed at the HAProxy static IP address. Typically, this certificate is for wildcard subdomains of your <code>SYSTEM_DOMAIN</code> and <code>APPS_DOMAIN</code>.
  </td>
  </tr>
</table>

<%= partial '../common/additional_config' %>

<p class="note"><strong>Note</strong>: HAProxy is deployed by default as your external-facing load balancer. In vSphere, you can use F5 instead of HAProxy. However, setting up F5 requires advanced configuration. F5 setup instructions are not covered in this documentation.</p>

##<a id='generate'></a>Step 3: Generate Your Manifest

<%= partial '../common/generic_manifest' %>
